Fix: wrap entire Administration section in admin+ check to prevent Security leak for operators

This commit is contained in:
2026-06-07 07:31:34 -04:00
parent e721a34d8f
commit 58be111745

View File

@@ -39,9 +39,9 @@
<div class="nav-submenu-loading"><i class="fas fa-spinner fa-spin"></i></div>
</div>
</li>
<?php if (in_array($_SESSION['user_role'] ?? '', ['super_admin', 'admin'])): ?>
<li class="nav-divider"></li>
<li class="nav-section">Administration</li>
<?php if (in_array($_SESSION['user_role'] ?? '', ['super_admin', 'admin'])): ?>
<li class="nav-item">
<a href="/teams" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/teams') ? 'active' : '' ?>">
<i class="fas fa-users-cog"></i>
@@ -60,7 +60,6 @@
<span>Audit Logs</span>
</a>
</li>
<?php endif; ?>
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
<li class="nav-item">
<a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>">
@@ -69,6 +68,7 @@
</a>
</li>
<?php endif; ?>
<?php endif; ?>
</ul>
</nav>
<div class="sidebar-footer">